
Changeset 2653917


Timestamp:
01/07/2022 01:18:18 AM (4 years ago)
Author:
milukove
Message:

escape widget output

File:
1 edited

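--- a/yandex-money-button/trunk/includes/ymb-widget.php
+++ b/yandex-money-button/trunk/includes/ymb-widget.php
@@ -32,14 +32,14 @@
         include dirname( __FILE__ ) . '/ymb-icons.php';
         echo  '<div class="widget wp-block-ymb-button"><form method="POST" action="https://money.yandex.ru/quickpay/confirm.xml" target="_blank">' ;
-        echo  '<input type="hidden" name="receiver" value="' . $instance['receiver'] . '">' ;
+        echo  '<input type="hidden" name="receiver" value="' . esc_attr($instance['receiver']) . '">' ;
         echo  '<input type="hidden" name="quickpay-form" value="small">' ;
-        echo  '<input type="hidden" name="targets" value="' . $instance['targets'] . '">' ;
-        echo  '<input type="hidden" name="sum" value="' . $instance['sum'] . '">' ;
-        echo  '<input type="hidden" name="paymentType" value="' . $instance['paymenttype'] . '">' ;
+        echo  '<input type="hidden" name="targets" value="' . esc_attr($instance['targets']) . '">' ;
+        echo  '<input type="hidden" name="sum" value="' . esc_attr($instance['sum']) . '">' ;
+        echo  '<input type="hidden" name="paymentType" value="' . esc_attr($instance['paymenttype']) . '">' ;
         echo  '<button type="submit" style="background: #ffdb4d; background-color: #ffdb4d; color: #ffffff;">' ;
         echo  '<div class="wp-block-ymb-button-div">' ;
         echo  $ymbIcons[$instance['paymenttype']] ;
         echo  '</div>' ;
-        echo  '<span class="wp-block-ymb-button-span" style="color: #000;">' . (( '' != $instance['content'] ? $instance['content'] : 'Перевести' )) . '</span>' ;
+        echo  '<span class="wp-block-ymb-button-span" style="color: #000;">' . (( '' != $instance['content'] ? esc_html($instance['content']) : 'Перевести' )) . '</span>' ;
         echo  '</button>' ;
         echo  '</form></div>' ;
@@ -137,5 +137,5 @@
         </p>
         <?php
-        $content = ( !empty($instance['content']) ? $instance['content'] : 'Перевести' );
+        $content = ( !empty($instance['content']) ? esc_html($instance['content']) : 'Перевести' );
         ?>
         <p>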
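Review bot: The unchanged line `echo $ymbIcons[$instance['paymenttype']];` in the first hunk still uses the stored `paymenttype` value as a raw array key with no existence check, so a value outside the keys defined in ymb-icons.php raises an undefined-index notice and prints nothing, even though the same value is now escaped one line earlier for the hidden input; a guard such as `echo isset( $ymbIcons[ $instance['paymenttype'] ] ) ? $ymbIcons[ $instance['paymenttype'] ] : '';` keeps the markup well-defined. In the second hunk `$content` is escaped with `esc_html()` at assignment time rather than where it is printed; its use is outside the hunk, and if it ends up in an input `value` attribute, `esc_attr()` at the point of output is the right escaper. The two hunks also test for empty content differently (`'' != …` versus `!empty(…)`), which is worth unifying. The enclosing widget method begins before the first hunk and the form template continues past the second.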